As you may or may not know, there has been a massive client-side exploitation movement going on since last year (there was one before, but on a much smaller scale). There seems to be an ongoing competition between different nations (government organisations) over who can order Chinese servers, deploy client-side exploits and run under a false flag the fastest.

Those who have had to look into client-side attacks surely feel the pain of doing so: apart from run-time analysis, spotting and dissecting them takes in-depth knowledge of the file format and of common exploitation techniques (recognising shellcode patterns, for instance).

The Office file format is a file format on steroids: it has its own allocation table and directory structure (essentially a miniature file system inside a file), and, yes, a stream can even become fragmented across sectors. That kind of steroid. One can only imagine how this format came to be; did Microsoft launch an internal competition for the most complicated and most difficult file format ever? Compatibility was surely not the goal [1]. Anyway, enough rambling...

Luckily there has been good progress on the Office file format analysis front. There were Officecat [2] and STG Docfileviewer [3], but honestly, in terms of supporting analysts, these didn't cut it.

This week Microsoft released "Offvis", basically a DOC/XLS/PPT/OLE parser with the added bonus of detecting a set of known attacks. Its main goal is to help researchers and vendors parse and dissect the awfully complicated Office file format.

On another front, Frank Boldewin has released OfficeMalScanner, an awesome automatic and generic DOC/PPT/XLS dissection tool. It extracts macros and information about the structure of the file, searches for common shellcode patterns, has its own small disassembly logic and, as an added bonus, brute-forces the keys of simple XOR and ADD obfuscation loops.

Offvis

As input Offvis takes Office files such as DOC, XLS and so forth. In the left-hand pane it displays the raw content of the file; in the upper-right pane it displays the result of the parsing attempt. The display is interactive: selecting a parsed field shows the raw bytes it was parsed from.

If the file exploits one of the commonly known vulnerabilities Offvis has signatures for, it flags it and warns you. It does not detect any other kind of attack, including the commonly used method of dropping malicious code via macros.

There seems to be no generic detection of shellcode or malware. In essence, Offvis' goal appears to be to help developers and vendors understand the format itself better and test their own parser implementations. The added CVE recognition of known exploits is a bonus at best, although it has one nifty feature that comes in handy during analysis: defragmentation, i.e. reassembling a stream whose sectors are scattered through the file.
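To make concrete what the format's own allocation table, the fragmentation mentioned earlier and the defragmentation feature just described actually involve, here is an added example (my own code, not Offvis or any Microsoft code). It constructs a minimal OLE2 compound file whose single stream is deliberately stored with its sectors in reverse order, then parses the header, loads the FAT and walks the stream's sector chain to put it back together. The stream name "WordDocument", the reversed sector order and the payload text are constructed for the example; streams below the 4096-byte cutoff (which live in the mini stream via the MiniFAT) and DIFAT sectors beyond the 109 slots in the header are deliberately not handled.

```python
import struct

SECTOR = 512                          # v3 compound files use 512-byte sectors
ENDOFCHAIN, FREESECT, FATSECT = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD
NOSTREAM = 0xFFFFFFFF
MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
DIR_FMT = "<64sHBBIII16sIQQIQ"        # one 128-byte directory entry


def _dir_entry(name, etype, child, start, size):
    raw = name.encode("utf-16-le") + b"\0\0" if name else b""
    return struct.pack(DIR_FMT, raw, len(raw), etype, 1, NOSTREAM, NOSTREAM,
                       child, b"\0" * 16, 0, 0, 0, start, size)


def build_sample_doc(payload):
    """Constructed sample: a minimal v3 compound file (not a real Office file)
    with one stream, 'WordDocument', stored in reverse sector order so that it
    is fragmented. Sector 0 = FAT, sector 1 = directory, sectors 2.. = data.
    The payload must be >= 4096 bytes so it lives in the regular FAT."""
    assert len(payload) >= 4096
    pieces = [payload[i:i + SECTOR].ljust(SECTOR, b"\0")
              for i in range(0, len(payload), SECTOR)]
    n = len(pieces)
    phys = [2 + (n - 1 - k) for k in range(n)]   # logical piece k -> physical sector
    fat = [FREESECT] * (SECTOR // 4)
    fat[0], fat[1] = FATSECT, ENDOFCHAIN
    for k in range(n):
        fat[phys[k]] = phys[k + 1] if k + 1 < n else ENDOFCHAIN
    sectors = [None] * (2 + n)
    sectors[0] = struct.pack("<128I", *fat)
    sectors[1] = (_dir_entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
                  + _dir_entry("WordDocument", 2, NOSTREAM, phys[0], len(payload))
                  + _dir_entry("", 0, NOSTREAM, 0, 0) * 2)
    for k in range(n):
        sectors[phys[k]] = pieces[k]
    header = struct.pack("<8s16sHHHHH6xIIIIIIIII", MAGIC, b"\0" * 16,
                         0x3E, 3, 0xFFFE, 9, 6,      # minor, major, byte order, shifts
                         0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header += struct.pack("<109I", 0, *([FREESECT] * 108))   # DIFAT: FAT is sector 0
    return header + b"".join(sectors)


def parse_header(data):
    if data[:8] != MAGIC:
        raise ValueError("not an OLE2 compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    cutoff = struct.unpack_from("<I", data, 56)[0]
    return sector_size, num_fat, first_dir, cutoff, struct.unpack_from("<109I", data, 76)


def read_sector(data, sid, sector_size):
    off = (sid + 1) * sector_size          # sector 0 starts right after the header
    if off + sector_size > len(data):
        raise ValueError(f"sector {sid} lies outside the file")
    return data[off:off + sector_size]


def load_fat(data, sector_size, num_fat, difat):
    # only the header's 109 DIFAT slots are followed; huge files chain more DIFAT sectors
    fat = []
    for sid in difat[:num_fat]:
        fat.extend(struct.unpack(f"<{sector_size // 4}I", read_sector(data, sid, sector_size)))
    return fat


def walk_chain(fat, start):
    """Follow a FAT chain, refusing loops and out-of-range IDs: both are
    classic ways a malformed document hangs or crashes a naive parser."""
    sids, sid = [], start
    while sid != ENDOFCHAIN:
        if sid >= len(fat) or sid in sids:
            raise ValueError("corrupt FAT chain")
        sids.append(sid)
        sid = fat[sid]
    return sids


def list_streams(data):
    sector_size, num_fat, first_dir, _, difat = parse_header(data)
    fat = load_fat(data, sector_size, num_fat, difat)
    raw = b"".join(read_sector(data, s, sector_size) for s in walk_chain(fat, first_dir))
    entries = {}
    for i in range(len(raw) // 128):
        f = struct.unpack_from(DIR_FMT, raw, i * 128)
        name_raw, name_len, etype, start, size = f[0], f[1], f[2], f[11], f[12]
        if etype == 0:                      # unused directory slot
            continue
        entries[name_raw[:max(name_len - 2, 0)].decode("utf-16-le", "replace")] = (etype, start, size)
    return entries, fat


def read_stream(data, name):
    """Return (defragmented stream bytes, physical sector chain it was read from)."""
    sector_size, _, _, cutoff, _ = parse_header(data)
    entries, fat = list_streams(data)
    etype, start, size = entries[name]
    if etype != 2:
        raise ValueError(f"{name} is not a stream")
    if size < cutoff:
        raise NotImplementedError("small streams live in the mini stream; not handled here")
    chain = walk_chain(fat, start)
    return b"".join(read_sector(data, s, sector_size) for s in chain)[:size], chain


SAMPLE_PAYLOAD = (b"Constructed sample stream. " * 200)[:4700]   # constructed content
SAMPLE_DOC = build_sample_doc(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    body, chain = read_stream(SAMPLE_DOC, "WordDocument")
    print("streams:", list(list_streams(SAMPLE_DOC)[0]))
    print("physical sector chain:", chain, "-> defragmented", len(body), "bytes")
```

Running it lists "Root Entry" and "WordDocument" and shows the chain 11, 10, ..., 2: the parser reads the sectors in FAT order, not file order, which is exactly why a byte-offset search over a fragmented document can miss a payload that a defragmented view exposes.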

OfficeMalScanner

Besides the scanner itself, the OfficeMalScanner package ships two companion tools:

DisView - Takes a file and an offset as arguments and tries to disassemble the input from that offset.

MalHost-Setup - Extracts the shellcode and patches it so that it halts on execution, allowing you to attach a debugger to it.

The results we had with the tool were great. It is the first (to our knowledge) generic utility for detecting malicious code within Office files; by that we mean it doesn't look for specific patterns of known exploits but uses generic means to detect possibly malicious code, with the possibility of false positives (as with all generic methods).

OfficeMalScanner in action analysing a malicious PPT file

It detects the API-hashing routines commonly used in shellcode and reports the offsets at which they are found; it then brute-forces all possible single-byte XOR keys, looking for MZ/PE signatures that indicate an embedded executable, and extracts any it finds to disk. Additionally it rates its findings in a metric called the "Malicious Index"; one could imagine using this index to filter documents at the perimeter by setting a minimum "Malicious Index" above which a document is blocked.
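As an added example of the generic approach just described (my own code, not OfficeMalScanner's): it scans a buffer as-is and under every single-byte XOR and ADD key, looks for an API-hashing signature and for MZ headers whose e_lfanew points at a valid "PE\0\0" signature, keeps the decoded executable in memory instead of writing it to disk, and sums the findings into a score in the spirit of the Malicious Index. The "ror edi, 13" byte pattern is one widespread API-hashing signature and stands in for the tool's signature set; the scoring weights, the hash-loop fragment and the sample buffer with a XOR-0x5A-encoded fake PE are assumptions constructed for this example. It goes slightly beyond the text by also trying ADD keys, which the tool's description mentions elsewhere on this page.

```python
import struct

# 'ror edi, 13' (C1 CF 0D): the hash step of the common ROR-13 API-hashing
# routine. One widespread variant, not OfficeMalScanner's actual signature set.
ROR13_HASH = b"\xC1\xCF\x0D"
WEIGHTS = {"api-hash": 10, "pe": 20}   # hypothetical scoring, not the tool's


def find_pe_headers(buf):
    """Offsets of 'MZ' headers whose e_lfanew points at a 'PE\\0\\0' signature.
    The second check stops random 'MZ' pairs in brute-forced views from
    being reported as executables."""
    hits, pos = [], buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            if e_lfanew < 0x1000 and buf[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return hits


def decoded_views(data):
    """Yield (method, key, view): the file as-is, then every single-byte XOR
    and ADD decoding of it (key 0 is the plain view for both, so it is
    yielded once)."""
    yield "plain", 0, data
    for key in range(1, 256):
        yield "xor", key, data.translate(bytes(i ^ key for i in range(256)))
        yield "add", key, data.translate(bytes((i - key) & 0xFF for i in range(256)))


def scan(data):
    """Return (findings, carved): findings are (kind, offset, method, key)
    tuples; carved maps the offset of each detected PE to its decoded bytes."""
    findings, carved = [], {}
    for method, key, view in decoded_views(data):
        pos = view.find(ROR13_HASH)
        while pos != -1:
            findings.append(("api-hash", pos, method, key))
            pos = view.find(ROR13_HASH, pos + 1)
        for off in find_pe_headers(view):
            findings.append(("pe", off, method, key))
            carved[off] = view[off:]        # the tool writes this to disk instead
    return findings, carved


def malicious_index(findings):
    """Toy score: weighted sum of findings (weights are my assumption)."""
    return sum(WEIGHTS[kind] for kind, *_ in findings)


def _fake_pe():
    """Constructed 256-byte stand-in for a dropped executable: only the MZ and
    PE signatures are valid, nothing else is filled in."""
    hdr = bytearray(0x100)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)          # e_lfanew -> PE header
    hdr[0x80:0x86] = b"PE\0\0\x4c\x01"               # signature + IMAGE_FILE_MACHINE_I386
    return bytes(hdr)


# Constructed sample document body: NOP padding, harmless text, a small
# hash-loop fragment containing the ror signature, then the fake PE XOR'd
# with 0x5A (as a dropper's obfuscation loop would store it), more padding.
STUB = b"\x31\xc0\xac" + ROR13_HASH + b"\x01\xc7\xe2\xf6"
SAMPLE = (b"\x90" * 200 + b"Hello document text " * 10 + STUB
          + _fake_pe().translate(bytes(i ^ 0x5A for i in range(256))) + b"\x90" * 100)

if __name__ == "__main__":
    found, carved = scan(SAMPLE)
    for kind, off, method, key in found:
        print(f"{kind:8s} at 0x{off:04x} ({method} key 0x{key:02x})")
    print("malicious index:", malicious_index(found))
```

On the sample this reports the hash signature at 0x193 in the plain view and the executable at 0x19a under XOR key 0x5A, for a score of 30. Against a real document you would run it over each defragmented stream rather than the raw file, since a payload split across non-adjacent sectors defeats a linear search; note also that a single-byte brute force will not recover multi-byte or rolling keys.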

MalHost-Setup can be used to analyse malicious code that directly exploits Office. It takes the malicious file and the hexadecimal offset of the start of the shellcode as input, extracts the shellcode and embeds it into an executable so you can continue the analysis in your debugger of choice.